I3:FeatureTest-Identity Selector DOS Avoidance
From OSIS Open Source Identity Systems
|Feature Test||Identity Selector DOS Avoidance|
|Test Type||Selector Invocation|
|Description||Tests that it is possible to escape a DOS loop where control is constantly sent to the selector|
|Role tested||Information Card Identity Selector|
|Known Successful Reference Solution(s)|
|Success Criteria||Selector is triggered (note that the transaction does not need to complete)|
|Failure Criteria||Selector is not triggered|
|Provide ability to disable Selector invocation to prevent denial of service by malicious relying parties||Information Card Identity Selector||condition|
- Note #2: this test will loop 20 times - long enough to try things to get out, but not indefinite. If you cannot escape the loop, just keep cancelling/exiting the selector, and control will eventually be restored.
- Note #3: The test is merely a form containing an information card object that posts to itself 20 times in a row. If you want to see exact source code, as meager as it is, contact Pam.
- Open the result page for the solution for this particular featuretest.
- In a different browser tab or window, open the link to the test (listed above)
- Selector should immediately open -- if it does, choose to exit, or cancel (if you submit a card, it won't be read)
- Every time you exit the selector, you will be redirected back to a page which yet again auto-submits the selector.
- In the case of selectors which take control away from the user, there should be some way to disable the selector from starting the next time around, so that the evil looping code can be dealt with.
- Set outcome:
  - If there was a way to pause and/or disable invocation of the Selector in order to terminate the loop, set the outcome to Works
  - If you cannot get out of the loop, set the outcome to Fails
  - If you saw specific issues, mark the outcome as "Issues" and outline the issues by commenting on the "Talk" tab of this page
- Add either four tilde ~~~~ signs or a text name into the "testedby" parameter
- Update the date tested, operating systems, and tested solutions parameters of the results page
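
One way a selector could satisfy the requirement this test exercises, shown as an added example that is not from this page or from any selector's code: a per-site guard that counts recent cancels and then offers to switch invocation off for that site. The class, its method names, the thresholds and the origin are assumptions made for illustration.

```javascript
// Added illustration; InvocationGuard and its thresholds are hypothetical.
class InvocationGuard {
  constructor({ maxCancels = 3, windowMs = 60000, now = () => Date.now() } = {}) {
    this.maxCancels = maxCancels; // cancels tolerated before offering "disable"
    this.windowMs = windowMs;     // only cancels inside this window count
    this.now = now;               // injectable clock, for testing
    this.cancels = new Map();     // site origin -> timestamps of recent cancels
    this.disabled = new Set();    // origins for which invocation is switched off
  }
  // A page asked for the selector: decide what the user sees.
  onInvoke(origin) {
    if (this.disabled.has(origin)) return "suppressed";
    return this.recent(origin).length >= this.maxCancels ? "offer-disable" : "open";
  }
  // The user exited or cancelled the selector without sending a card.
  onCancel(origin) {
    this.cancels.set(origin, [...this.recent(origin), this.now()]);
  }
  disable(origin) { this.disabled.add(origin); }
  enable(origin) { this.disabled.delete(origin); this.cancels.delete(origin); }
  recent(origin) {
    const cutoff = this.now() - this.windowMs;
    return (this.cancels.get(origin) || []).filter((t) => t > cutoff);
  }
}

// Replays the test described above: the page re-invokes the selector
// `iterations` times; the user cancels, and accepts "disable" once offered.
function simulateLoop(guard, origin, iterations = 20) {
  const seen = [];
  for (let i = 0; i < iterations; i++) {
    const action = guard.onInvoke(origin);
    seen.push(action);
    if (action === "open") guard.onCancel(origin);
    else if (action === "offer-disable") guard.disable(origin);
  }
  return seen;
}

// Constructed origin; with the defaults the user regains control on attempt 4.
const actions = simulateLoop(new InvocationGuard(), "https://rp.example");
console.log(actions.filter((a) => a === "open").length, actions[3], actions[19]);
```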